This site may earn affiliate commissions from the links on this page. Terms of use.

Update (1/30/2015): Verizon announced today that it would soon add a feature that allowed users to opt out of so-called supercookies that could not be deleted and followed them anywhere. Verizon has been roundly criticized for injecting headers into user traffic that third parties, including the ad network Turn, had been openly marketing and monetizing.

Whether Verizon’s settings will actually disable the supercookie or remove the “zombie” cookie option exploited in the story below is an open question. Its current major advertising partners provided useless removal tools that don’t function as advertised.

Original story follows:

When news broke last year that Verizon had deployed unremovable supercookies that could track its devices anywhere online, the company swore up and down that no, it didn’t share this information with third parties or use it in a manner that would compromise web privacy. New information has decisively demonstrated that these statements were untrue — and that Verizon may be actively colluding with third-party advertising agencies to enable this tracking.

Now, here’s how ad services are interacting with it. Visit a page from a Verizon device, and Verizon will inject its tracking header into your HTTP request. That header can then be associated with a conventional cookie that’s part of standard cookie tracking.

Let’s say you visit a website that employs this method without the Verizon header. As detailed at Webpolicy.org, the system simply installs a standard tracking cookie. If you visit it with a Verizon header, the system sets a cookie ID that corresponds to the Verizon header. Remove the tracking cookie, and the system promptly reinstates it with the Verizon header. That’s why it’s being called a “zombie” cookie — it comes back once deleted.

No, the advertiser doesn’t know that UID=123456789 is John Doe from Maryland, but the advertising network can track everywhere that John Doe goes, every website he visits, and every page he touches. If you delete the tracking cookie it’s promptly reconstituted and reassociated with your profile. Full details are available at Mayer’s website, but the collateral damage is significant. Laptops tethered to cell phones on Verizon’s network, for example, can be infected by this process.
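The respawn behavior described above can be checked by visiting with an empty cookie jar each time and watching whether the same ID comes back. The model below is an added example, not code from the article, Mayer, Verizon or Turn; `ModelTracker`, the host name and the token values are constructed, and the header name `X-UIDH` (which the article does not give) is the one Verizon used. Passing `None` as the token models a connection the carrier does not modify.

```python
import secrets

CARRIER_HEADER = "X-UIDH"  # Verizon's header name; the article itself does not name it

def carrier_inject(sent, subscriber_token):
    """In-path carrier: copies the request and adds its header (None = no injection)."""
    received = dict(sent)
    if subscriber_token is not None:
        received[CARRIER_HEADER] = subscriber_token
    return received

def injected_headers(sent, received):
    """Headers the server saw that the client never sent."""
    sent_names = {k.lower() for k in sent}
    return sorted(k for k in received if k.lower() not in sent_names)

class ModelTracker:
    """Constructed stand-in for an ad server that keys cookie IDs on the carrier header."""
    def __init__(self):
        self.id_by_token = {}

    def cookie_for(self, received):
        token = received.get(CARRIER_HEADER)
        cookie = received.get("Cookie")
        if cookie is None and token in self.id_by_token:
            cookie = self.id_by_token[token]        # deleted ID is reinstated
        elif cookie is None:
            cookie = "uid=" + secrets.token_hex(8)  # ordinary new tracking cookie
        if token is not None:
            self.id_by_token[token] = cookie        # tie the cookie ID to the header
        return cookie

def ids_after_clearing(tracker, subscriber_token, visits=3):
    """Visit with an empty cookie jar each time and record the ID the server sets."""
    sent = {"Host": "ads.example", "User-Agent": "test-client"}  # constructed request
    return [tracker.cookie_for(carrier_inject(sent, subscriber_token))
            for _ in range(visits)]

def is_zombie(ids):
    """A cookie ID that reappears after the jar was cleared has been respawned."""
    return len(set(ids)) < len(ids)
```

Against a real service the same test means clearing cookies between visits and comparing the `Set-Cookie` values, while `injected_headers` corresponds to comparing what the client sent with what a header-echo endpoint reports receiving.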

The company building these networks is called Turn — and while you’ve likely never heard of it, its partnership with Verizon means it’s increasingly likely to have heard of you.

Verizon’s advertising partner

Verizon’s chief partner in crime, or at least the most public user of this technology, is a company called Turn. Turn prominently advertises its capabilities as “Bringing sexy back to measurement” in a corporate event sponsored by Verizon in April of last year. At that event, marketers openly acknowledged that: “the goal is to have that one unified cross-platform media by allowing campaigns to target consumers on whatever device they’re using or whichever ad format it is.”

ProPublica reports that Turn holds auctions whenever you visit a website, selling the right to target you with ads within milliseconds of your arrival. The company claims to receive two million requests a minute for sales targets.

How the data can be used and what sets it apart from standard cookies.

Turn told ProPublica that it does not consider cookie-clearing or deleting a signal that people don’t wish to be tracked. Turn claims to offer an opt-out option, but extensive testing by both Mayer and ProPublica confirmed that the option is meaningless and does not work. Turn’s response to these discoveries was to claim that the opt-out does work, it just looks as if it doesn’t.

Either way, these practices by Turn make it impossible to stop the company from collecting data on you. Handed a Verizon header, no amount of work on your end can prevent the company from reconstituting your data and unique profile header.

The old adage about “If you don’t pay for the product, you are the product” is officially dead. In today’s world, you’re the product whether you pay for it or not.


Turn prominently advertises its capabilities as “Bringing sexy back to measurement”

Maybe more like rape.

Zunalter

No apparently doesn’t mean no anymore.

Guest

Well . . . that would depend on your definition of NO.

Randall Collins

Maybe ‘no’ means ‘yes’. :-P

Roberto Tomás

If ISPs won’t create their own standards that disallow that here, and the government won’t force them to comply with standards, then Tor networks and torrent-based browsers are going to continue to become more common… which maybe isn’t such a bad thing.

Joel Hruska

Hilariously, Tor wouldn’t stop this. There is no mobile variant and no protection against this type of injection. If you tether to a laptop with a Verizon cell phone, I believe it will still bypass Tor.

EDIT: Might be wrong about this. HTTPS might not be tracked in the same way HTTP is. But you can still wind up with a zombie cookie stuck into a non-mobile device.

Roberto Tomás

I didn’t think Tor used HTTPS .. or that it used the headers at all. I thought it tunneled HTTP over its own protocol! Well, at least the BitTorrent browser would be immune.

http://www.korioi.net/ Korios

Tor does not use HTTPS, it operates much lower at the TCP level (transport level) and its nodes are SOCKS proxies (session level) rather than HTTP proxies (these work much higher, at the application level). Id est Tor is application independent.

Evan Kennedy

I am thinking tor would work actually. Verizon would still inject the code into the header, but since tor is actually making the request to the site you need, the injected code would not be included within the additional request for the requested website.

http://code.deepinspace.net/ talonx

Tor will be forwarding the request, along with all the original headers, including the injected one.

http://www.korioi.net/ Korios

To my knowledge HTTPS and Tor are not synonyms.

ncgmac

I think you mean something more like a VPN or anonymous server hookups.

Evan Kennedy

Looks like vpn would help prevent them from getting your data as all they would get is encrypted information. Vpn will always win. Unless I am missing something…

http://moritzfriedrich.com/ Mo Friedrich

Yep. The end node. Theoretically, they could watch for encrypted traffic, check where it’s going (the only real problem with VPNs: you can follow the trace) and try to guess where the next request is going from there, given it is in Verizon’s or one of its partners’ networks, and attach a flag to it. That way, you will eventually catch the unencrypted traffic and can insert the header.

Evan Kennedy

Makes sense. Thanks man.

http://www.sirgcal.com/ SirGCal

One reason I don’t care for Verizon…

http://www.funstufftosee.com/ Dozerman

Looks like leaving Verizon was the best thing I could have ever done with my phone account.

Zepid

I don’t understand why this doesn’t require an opt-in and when opted-in why it doesn’t subsidize your bill like a Nielsen Net-Ratings box subsidizes your cable.

Yea, just tried to opt out of Verizon’s crappy points gimmick. Called customer service to find out how to opt out. Rep said you will still accrue points even if you opt out? Privacy settings may not be fully reversed with third parties for a while. Guess, in these days of instant technology. It may take a while to notify third parties??

Techutante

Every time I hear something like, “Oh, it could take 3-6 weeks for your information to be removed from blah” or “Oh, we can’t make the computer stop doing blah” it’s because it was designed that way on purpose.

MoogleStiltzkin

I’m surprised they haven’t been sued yet. And for those companies who say trust them and they won’t abuse the FCC deal that would have allowed dual lane internet, well just look at this case scenario why we shouldn’t trust corporations to look out for the public’s interests ;_; it’s like putting a fox in a hen house.

Josh

Excellent article. Good investigative journalism. Keep up the good work!

http://www.ultimatexbmc.com/ Ultimatexbmc.com

COOKIES – love that monster

http://moritzfriedrich.com/ Mo Friedrich

Well, until now this is only used for ads. But imagine booking a flight soon, and wonder why the prices are higher than on your friends device which has never booked a flight online before?

ncgmac

Every thread has a name. Find the name of the thread that opens this file to read it and update the malware software to shut it down.

Joel Hruska

It’s passed as part of the HTML header. My understanding is, you’d be killing the browser itself.

Miserable Clown

What if you set the cookie in beforehand with a cookie manager?
Will it be overridden?

Will Ovtuth

The amount of insecurity we are being subjected to every day by companies like this is astounding and disgusting, for all the money they rob us for. So what are the chances that these piggybacked advertising companies are NSA contractors?!?!?

Hiro Protaganist

I’m wondering if you found out the name of the cookie file being saved, and added to your preferred anti-virus/spyware program under an auto-block/delete/quarantine list, would that solve the problem, or will you just end up with hundreds of thousands of copies of the same file in your quarantine every day that you would have to clear?

I’m in the market for new broadband service in a market where Verizon provides service. As much as I’d prefer speeds like FIOS provides, Verizon will NOT be getting my business until it cancels this intrusive and invasive practice.
